This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “RE: Instructions de transfert ” pretends to come from RBC Royal Bank of Canada but actually comes from “3SERVICEGROUPMTL3@R0YALBANK.COM” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. You need to look very carefully to see the 0 (zero) in the fake domain name instead of the O. It is slightly clearer in lowercase, but still close enough to confuse many recipients (r0yalbank.com.). This is why the criminals have used upper case in the from line today. These have a malicious office file attachment. Today they are using XLSM Excel spreadsheet files.
These are obviously aimed at French Canadian speakers. The main content of the email is written in French, not English. There also seem to be a few changes to the trickbot binaries and modules again today.
RBC Banque Royale, Banque Royale du Canada, Royal Bank of Canada has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.
What has happened is that the criminals sending these have registered various domains that look like the genuine Company, Bank, Government Department or message sending service. Normally there is only one newly registered domain that imitates a well known Company, Government Department, Bank or other organisation that can easily be confused with the genuine body or website in some way. These are hosted on & send the emails from 3 or 4 different servers. Some days however we do see dozens or even hundreds of fake domains.
Today’s example of the spoofed domain is, as usual, registered via Godaddy as registrar. Because of new GDPR rules we cannot easily find the registrants name or any further details.
- R0YALBANK.COM hosted on & sending emails via 126.96.36.199 | 188.8.131.52 | 184.108.40.206 | 220.127.116.11 |
You can now submit suspicious sites, emails and files via our Submissions system
From: Commercial Service Team MTL 3 <3SERVICEGROUPMTL3@R0YALBANK.COM>
Date: Mon 11/02/2019 18:02
Subject: RE: Instructions de transfert
Afin de compléter votre demande, nous avons besoin de vous pour compléter la lettre ci-jointe avec instructions ou transférer les fonds et signataires autorisés.
Vous pouvez mettre le compte à zéro et nous faire parvenir un courriel avec deux des signataires en copie conforme.
Merci et Bonne Journée
Si tu as besoin de plus d’informations, n’hésite pas a m’appeler.
Rosa Cho, Céline Henderson, Sophie Savoie & Josiane Wong Kee Song │ Conseiller service commerciaux, équipe service à la clientèle commerciale│ RBC Banque Royale │ Banque Royale du Canada │1 Place Ville Marie – 2e étage, aile Ouest, Montréal QC, H3C 3A9│Tél: 1-877-421-4865 (Opt 1-1-3 ) │
If you received this email in error, please advise the sender (by return email or otherwise) immediately. You have consented to receive the attached electronically at the above-noted email address; please retain a copy of this confirmation for future reference. You may unsubscribe from promotional emails.
Si vous recevez ce courriel par erreur, veuillez en aviser l’expéditeur immédiatement, par retour de courriel ou par un autre moyen. Vous avez accepté de recevoir le(s) document(s) ci-joint(s) par voie électronique à l’adresse courriel indiquée ci-dessus; veuillez conserver une copie de cette confirmation pour les fins de reference future. Vous pouvez vous désinscrire de la liste d’envoi de courriels promotionnels.
Instructions.xlsm Current Virus total detections | Hybrid Analysis | Anyrun which for some reason only sees the first url sgc-fl.com and didn’t roll over to the second one when it got a bad reply. |However it did when I used fakenet & MITM ( anyrun) I assume that this is probably due to a badly written macro / powershell script where it will only roll over to the alternate download location if the first url fails to respond at all, not when the site is suspended or the actual file can’t be found..
Running this file via various settings in Anyrun gives some slightly different results
-  using MITM shows a DNS request to a tor site 6lwyu54ybblfuex6.onion but not much else ( I don’t think I left it running long enough) Rerunning this using MITM  does show a lot more ssl connections
-  using Tor with a CA exit node shows a full run but no actual tor connections.
-  using no interception or tor shows the same full run as  and the same tor site DNS request
There are also some changes to the downloaded addition versions of Trickbot:- Radiance.png (virustotal) which is copied to the SysDefrag folder as both log_install.tmp and dbase.dat. Then we have table.png (VirusTotal) both of which which looks like new versions today
The alternate Download location is http://sgc-fl.com/ca.kabs which was very quickly suspended by the hosting company
The folder for the files & configs is: C:\Users\[User]\AppData\Roaming\SysDefrag
Looks like they have kept on using the psfin64 ( point of sale stealing )module again today along with the other usual components we are used to seeing. PSfin64 was first seen in November 2018 but only briefly. Then Brad Duncan noticed it appearing again about 1 week ago.
All modern versions of word and other office programs, that is 2010, 2013, 2016 and 365, should open all Microsoft office documents that is Word docs, Excel spreadsheet files and PowerPoint etc that are downloaded from the web or received in an email automatically in “protected view” that stops any embedded malware, macros and DDE “exploit /Feature” and embedded ole objects from being displayed and running. Make sure protected view is set in all office programs to protect you and your company from these sorts of attacks and do not over ride it to edit the document. If the protected mode bar appears when opening the document DO NOT follow the advice they give to enable macros or enable editing to see the content. The document will have a warning message, but you will be safe.
Be aware that there are a lot of other dodgy word docs spreading that WILL infect you with no action from you, if you are still using an out dated or vulnerable version of word. This is a good reason to update your office programs to a recent version and stop using office 2003 and 2007. Many of us have continued to use older versions of word and other office programs, because they are convenient, have the functions and settings we are used to and have never seen a need to update to the latest super-duper version.
The risks in using older version are now seriously outweighing the convenience, benefits and cost of keeping an old version going.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about word macro malware and how to avoid being infected by them
I strongly urge you to update your office software to the latest version and stop putting yourself at risk, using old out of date software.
Main object- “Instructions.xlsm”
Main object- “ca.kabs”
Dropped executable file
sha256 C:\Users\admin\AppData\Roaming\SysDefrag\log_install.tmp e65a10fc594bf4ff7e577e9edd0eed5800ab9fcf589452b384d633c715ca800c